Velocity Reviews

Please Help......Cannot route SMTP to internal interface (http://www.velocityreviews.com/forums/t35198-please-help-cannot-route-smtp-to-internal-interface.html)

mack 09-01-2004 07:10 AM

Please Help......Cannot route SMTP to internal interface
 
I've been playing around with the configuration of our router after
researching a lot of other posts on recommended acl configurations.
I've finally been able to get it so most things are working.

However....if I apply the "DIALER_OUT" ACL to the internal interface
of "fastEthernet0" I cannot receive any external emails to our
exchange server. We're able to send externally though.

This is the config I have, any help would be appreciated as I don't
know where else to look now.

Thanks.

------------
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PB_RTR1
!
logging queue-limit 100
enable secret 5 <removed>
enable password <removed>
!
username <removed> password <removed>
ip subnet-zero
!
!
ip name-server 192.168.3.10
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group clients
key <removed>
dns 192.168.3.10
domain <removed>
pool clientpool
!
!
crypto ipsec transform-set dessha esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set dessha
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
ip address 192.168.3.1 255.255.255.0
ip nat inside
speed auto
half-duplex
!
interface Dialer1
ip address negotiated
ip access-group DIALER_IN in
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ntp disable
no cdp enable
ppp chap hostname <removed>
ppp chap password <removed>
crypto map clientmap
!
ip local pool clientpool 192.168.5.1 192.168.5.254
ip nat pool ovrld <removed> <removed> prefix-length 24
ip nat inside source route-map nonat pool ovrld overload
ip nat inside source static tcp 192.168.3.20 80 <removed> 80
extendable
ip nat inside source static tcp 192.168.3.20 25 <removed>72 25
extendable
ip nat inside source static tcp 192.168.3.20 110 <removed> 72 110
extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended DIALER_IN
permit tcp any host 192.168.3.20 eq smtp
permit tcp any host 192.168.3.20 eq pop3
permit ip <removed> 0.0.0.255 host <removed>
permit ip host <removed> host <removed>
permit ip any host <removed>
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit ahp any any
permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit icmp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
remark Standard WWW services
permit tcp any any eq www
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 22
permit tcp any any eq ident
remark Microsoft RDP
permit tcp any any eq 3389
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark ICMP
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended DIALER_OUT
permit tcp any host 192.168.3.20 eq smtp
permit ip any host <removed>
permit ip any host <removed>
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit ahp any any
permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip any host 255.255.255.255
permit icmp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
remark WWW Standard services
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 22
permit tcp any any eq telnet
remark Windows Media
permit tcp any any eq 1755
remark Microsoft RDP
permit tcp any any eq 3389
permit tcp any any eq 5631
permit tcp any any eq 5632
permit icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended addr-pool
ip access-list extended ailer_in
ip access-list extended default-domain
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended tunnel-password
!
access-list 10 permit 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
!
route-map nonat permit 10
match ip address 111
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end

PES 09-01-2004 09:50 AM

Re: Please Help......Cannot route SMTP to internal interface
 

"mack" <shane@mica.qld.edu.au> wrote in message
news:555559e8.0408312310.748c40f9@posting.google.com...
> I've been playing around with the configuration of our router after
> researching a lot of other posts on recommended acl configurations.
> I've finally been able to get it so most things are working.
>
> However....if I apply the "DIALER_OUT" ACL to the internal interface
> of "fastEthernet0" I cannot receive any external emails to our
> exchange server. We're able to send externally though.
>
> This is the config I have, any help would be appreciated as I don't
> know where else to look now.
>
> Thanks.
>


Maybe the first line in DIALER_OUT is backwards. Assuming your mail
server is 192.168.3.20, the line should be

permit tcp host 192.168.3.20 eq smtp any

Also, I recommend using the firewall feature set. Stateful filtering will
make your life easier and your network more secure.


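The reply's diagnosis rests on the fact that IOS access lists are stateless and match each packet on its own header: on the LAN-facing interface the only packets of an inbound mail delivery that the router ever filters are the Exchange server's replies, whose source port is 25, so a line that permits traffic to the server on port 25 never matches there. The following is an added example, not code from the thread or from either poster: a small evaluator for the subset of IOS extended-ACL syntax the posted configuration uses, run against the DIALER_OUT list as posted and against the corrected first line. It assumes DIALER_OUT is applied inbound on FastEthernet0 (the direction in which the suggested fix makes sense; the posted config does not show the access-group line), the redacted lines are left out, and the external MTA address 203.0.113.7 and the ephemeral ports are constructed. It also checks the POP3 return path through the static NAT for port 110, which the thread does not discuss but which the same reasoning applies to.

```python
"""Stateless first-match evaluation of Cisco IOS extended ACL lines.

Added example, not part of the forum thread. Supports only the syntax the
posted config uses: any / host A / A WILDCARD, eq PORT, range LO HI, remark.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names that appear in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {
    "www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20,
    "nntp": 119, "telnet": 23, "ident": 113, "isakmp": 500, "non500-isakmp": 4500,
}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", "esp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]
    text: str


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _num(p):
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)


def _port(tokens, i):
    """Parse an optional 'eq P' or 'range LO HI' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _num(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_num(tokens[i + 1]), _num(tokens[i + 2])), i + 3
    return None, i


def parse_rule(line):
    """Return a Rule, or None for 'remark' lines."""
    t = line.split()
    if not t or t[0] == "remark":
        return None
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)          # trailing ICMP type keywords are ignored
    return Rule(t[0], t[1], src, sport, dst, dport, line)


def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and _in(rule.sport, pkt.sport)
            and _in(rule.dport, pkt.dport))


def evaluate(acl_lines, pkt):
    """First match wins; returns (action, matching line)."""
    for line in acl_lines:
        rule = parse_rule(line)
        if rule is not None and matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny ip any any"


# DIALER_OUT as posted (redacted lines omitted), assumed applied inbound on Fa0.
DIALER_OUT_POSTED = [
    "permit tcp any host 192.168.3.20 eq smtp",
    "permit udp any any eq isakmp",
    "permit esp any any",
    "permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "permit ip any host 255.255.255.255",
    "remark WWW Standard services",
    "permit tcp any any eq www",
    "permit udp any any eq domain",
    "permit tcp any any eq smtp",
    "permit tcp any any eq pop3",
    "permit icmp any any",
    "deny tcp any range 0 65535 any range 0 65535",
    "deny udp any range 0 65535 any range 0 65535",
    "deny ip any any",
]
# The same list with the first line reversed, as the reply suggests.
DIALER_OUT_FIXED = ["permit tcp host 192.168.3.20 eq smtp any"] + DIALER_OUT_POSTED[1:]

# Constructed packets; 203.0.113.7 is a documentation-range stand-in for an external host.
MAIL_SERVER, EXTERNAL = "192.168.3.20", "203.0.113.7"
INBOUND_SMTP_REPLY = Packet("tcp", MAIL_SERVER, 25, EXTERNAL, 51234)   # Exchange answering a delivery
OUTBOUND_SMTP = Packet("tcp", MAIL_SERVER, 49152, EXTERNAL, 25)        # Exchange sending mail
INBOUND_POP3_REPLY = Packet("tcp", MAIL_SERVER, 110, EXTERNAL, 51235)  # reply via the port-110 static NAT

if __name__ == "__main__":
    for name, acl in (("posted", DIALER_OUT_POSTED), ("fixed", DIALER_OUT_FIXED)):
        for pkt in (INBOUND_SMTP_REPLY, OUTBOUND_SMTP, INBOUND_POP3_REPLY):
            print(f"{name:6} {pkt.sport:>5} -> {pkt.dport:<5} {evaluate(acl, pkt)}")
```

Run as a script, the posted list sends the server's port-25 replies to the explicit `deny tcp any range 0 65535 any range 0 65535` line while outbound mail is permitted by `permit tcp any any eq smtp`, which is exactly the symptom in the original post; with the reversed first line the replies are permitted. The POP3 replies are denied by both lists, since neither contains a `host 192.168.3.20 eq pop3 any` line, which is the kind of per-service bookkeeping a stateful inspection feature removes.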
mack 09-02-2004 01:39 PM

Re: Please Help......Cannot route SMTP to internal interface
 
Thank you. It worked and I had everything back up in no time.

Do you have any samples of recommended setups for the feature set?
This is my next task to tackle.

Cheers

